Bug 22199 - transfig new security issue CVE-2017-16899
Summary: transfig new security issue CVE-2017-16899
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-15 21:06 CET by David Walser
Modified: 2017-12-25 12:16 CET (History)

See Also:
Source RPM: transfig-3.2.5d-9.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-12-15 21:06:00 CET
Fedora has issued an advisory on December 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCUENJQNHVYLROFSXJPDPPHHAYFYM3Z2/

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-12-15 21:06:07 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Shlomi Fish 2017-12-17 08:22:04 CET
Patch applied to the new cauldron package. mga6 and mga5 remaining.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 2 Shlomi Fish 2017-12-19 15:58:38 CET
Updated packages provided for mga6 and mga5. Assigning to QA.

Assignee: shlomif => qa-bugs
Status: NEW => ASSIGNED

Comment 3 David Walser 2017-12-20 01:00:55 CET
(In reply to Shlomi Fish from comment #2)
> Updated packages provided for mga6 and mga5.

Where?  Nothing shows up on pkgsubmit.

Assignee: qa-bugs => shlomif
CC: (none) => qa-bugs

Comment 4 Shlomi Fish 2017-12-20 10:00:42 CET
(In reply to David Walser from comment #3)
> (In reply to Shlomi Fish from comment #2)
> > Updated packages provided for mga6 and mga5.
> 
> Where?  Nothing shows up on pkgsubmit.

see the updates_testing - http://mirror.math.princeton.edu/pub/mageia/distrib/6/x86_64/media/core/updates_testing/ .
Comment 5 David Walser 2017-12-22 19:03:34 CET
Advisory:
========================

Updated transfig package fixes security vulnerability:

An out-of-bounds read flaw was found in the way fig2dev program in Xfig handled
the processing of Fig format files. This flaw could potentially be used to crash
the fig2dev program by tricking it into processing specially crafted Fig format
files (CVE-2017-16899).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16899
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MCUENJQNHVYLROFSXJPDPPHHAYFYM3Z2/
========================

Updated packages in core/updates_testing:
========================
transfig-3.2.5d-8.1.mga5
transfig-3.2.5d-9.1.mga6

from SRPMS:
transfig-3.2.5d-8.1.mga5.src.rpm
transfig-3.2.5d-9.1.mga6.src.rpm

CC: qa-bugs => shlomif
Assignee: shlomif => qa-bugs

Comment 6 Len Lawrence 2017-12-22 22:28:13 CET
Mageia 5 :: x86_64

POC at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881143
$ fig2dev -L tikz transfig.poc
Unknown graphics language tikz
Known languages are:
box cgm eepic eepicemu emf epic eps gbx ge gif ibmgl dxf jpeg latex map mf mmp mp pcx pdf pdftex pdftex_t pic pictex png ppm ps pstex pstex_t pstricks ptk shape sld svg textyl tiff tk tpic xbm xpm 

Updated the package.
$ fig2dev -L tikz transfig.poc
< same message as before >
So not a lot of use.  In the author's test a segfault occurred before the update.

To test this I tried out xfig to see what the interface looked like.  It is a drawing tool much like any other.  Experimented a bit, then found a file shape.fig on the system and opened it in xfig.  Used fig2dev to transform it to a GIF.
$ fig2dev -L gif shape.fig > shape.gif
Used the Mate image viewer eom to display the GIF file and confirmed that it was a copy of the drawing shown by xfig.

This should be enough to show that the package works in Mageia 5 for 64 bits.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => tarazed25

Comment 7 Len Lawrence 2017-12-23 00:27:21 CET
POC at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881143

Updated the package.
No useful information obtained from running the POC.

Installed xfig and created a line drawing with circles and rectangles, saved that to new.fig, then converted it to a GIF file.
$ fig2dev -L gif new.fig > new.gif
The GIF displayed correctly.
Processed a file from the system:
$ fig2dev -L eps shape.fig > shape.ps
$ gs shape.ps
showed an embedded postscript version of the original drawing.
$ less shape.ps
%!PS-Adobe-3.0 EPSF-3.0
%%Title: shape.fig
%%Creator: fig2dev Version 3.2 Patchlevel 5d
%%CreationDate: Fri Dec 22 23:20:03 2017
%%For: lcl@belexeuli (Len Lawrence)
%%BoundingBox: 0 0 576 265
%Magnification: 1.0000
%%EndComments
%%BeginProlog
/$F2psDict 200 dict def
$F2psDict begin
$F2psDict /mtrx matrix put
/col-1 {0 setgray} bind def
/col0 {0.000 0.000 0.000 srgb} bind def
...................

Good for mga6 on x86_64

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 8 Len Lawrence 2017-12-23 14:28:50 CET
Mageia 6 :: i586 on vbox.

Installed xfig and copied shape.fig from the host.
Updated transfig.
$ fig2dev -L png shape.fig > shape.png
That produced an empty file.  The same when using a test file generated from xfig.
Tried 
$ fig2dev -L xpm test1.fig > test1.xpm
The resulting image appeared to lack the outer rectangle but this may have been used to define the boundary of the image.
A jpeg conversion failed.  These are probably not regressions but the point does need to be checked.  (Later)

$ fig2dev -L tiff test1.fig > test1.tif
I/O Error: Output File "-" must be seekable
GPL Ghostscript 9.22: Unrecoverable error, exit code 1
Error in ghostcript command
command was: gs -q -dBATCH -dSAFER -sDEVICE=tiff24nc -r80 -g582x422 -sOutputFile=- /tmp/xfig024549.tmpeps > /dev/null < /dev/null

$ fig2dev -L eps shape.fig > shape.ps
That worked and gs could display the postscript file.

$ fig2dev -L svg shape.fig > shape.svg
$ display shape.svg
No problem there.

$ fig2dev -L tk shape.fig > shape
$ wish shape
The shape file is pure tcl code and displays the original image perfectly. 

It looks as if this update works but the OK should be withheld until the failure points have been investigated in the pre-update version.
Comment 9 Len Lawrence 2017-12-23 15:17:44 CET
Mageia 5 :: i586 in vbox

Installed xfig.  Checked transfig before updating.  Vector graphics and script type conversions work for fig2dev but JPEG, PNG and TIFF do not, so the earlier comment about no regressions is vindicated.

Updated transfig and tried similar tests to those in comment 8.
$ fig2dev -L tk shape.fig > shape.tcl
Warning: stick arrows do not work well in Tk.
Warning: stick arrows do not work well in Tk.
Warning: stick arrows do not work well in Tk.
Warning: stick arrows do not work well in Tk.
Warning: stick arrows do not work well in Tk.
Warning: stick arrows do not work well in Tk.
$ fig2dev -L eps shape.fig > shape.ps
$ fig2dev -L xpm shape.fig > shape.xpm
$ fig2dev -L gif shape.fig > shape.gif
$ fig2dev -L svg shape.fig > shape.svg

All resulting images displayed properly using wish, gs, display or eom.

Both 32-bit tests are fine.  Validating the transfig update.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK MGA6-32-OK
CC: (none) => sysadmin-bugs
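The per-format conversion checks that comments 8 and 9 ran by hand can be scripted so the same regression sweep (non-empty output, correct file signature) is repeatable across architectures. This is an added example, not part of the bug report, transfig or Mageia QA tooling; the helper names, the 1024-byte signature window and the signature table are assumptions.

```shell
#!/bin/sh
# Hypothetical regression sweep for fig2dev output languages, modelled on the
# manual tests in this bug. Not part of transfig or of the Mageia QA process.
# Usage: check_fig_outputs <converter> <input.fig> [lang ...]
# For each language it runs "<converter> -L <lang> <input.fig>" and reports
# whether the output is non-empty and starts with the expected signature.

# Assumed signature (searched in the first 1024 bytes) for each output language.
magic_for() {
  case "$1" in
    eps|ps) echo '%!PS' ;;
    svg)    echo '<svg' ;;
    png)    echo 'PNG' ;;
    gif)    echo 'GIF8' ;;
    *)      echo '' ;;   # unknown language: only check that output is non-empty
  esac
}

check_fig_outputs() {
  conv="$1"; fig="$2"; shift 2
  for lang in "$@"; do
    out=$(mktemp) || return 1
    if ! "$conv" -L "$lang" "$fig" > "$out" 2>/dev/null; then
      echo "FAIL $lang: converter exited non-zero"
    elif [ ! -s "$out" ]; then
      # the empty png/jpeg/tiff outputs seen on the i586 hosts land here
      echo "FAIL $lang: empty output"
    else
      magic=$(magic_for "$lang")
      if [ -n "$magic" ] && ! head -c 1024 "$out" | grep -q -F -- "$magic"; then
        echo "FAIL $lang: output lacks expected signature $magic"
      else
        echo "OK   $lang"
      fi
    fi
    rm -f "$out"
  done
}

# Example invocation against the installed tool (run before and after the update):
# check_fig_outputs fig2dev shape.fig eps svg png gif xpm tk
```

Run it once on the pre-update package and once on the candidate so that failures already present before the update (as in comment 9) are not mistaken for regressions.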

Comment 10 Thomas Backlund 2017-12-25 11:32:38 CET
advisory added

Keywords: (none) => advisory
CC: (none) => tmb

Comment 11 Mageia Robot 2017-12-25 12:16:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0469.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

